Six ways doctors often break the law when taking clinical photos

Using the default camera app, or the camera built into messaging apps, almost always results in a breach of privacy regulations.

1. Express consent isn't documented
2. Photos are stored on your phone
3. Photos are auto-uploaded to iCloud
4. Photos aren't de-identified properly
5. Lose your phone, lose patient data
6. Sent insecurely via email or SMS

1. Express Consent Isn't Documented Properly

Doctors often don't get consent, and when they do, they don't record it properly. A whopping 82% of the time, doctors don't document consent when taking a photo. A study among dermatologists revealed that only 2% obtained written consent! While 46% received verbal consent, they failed to document this.

2. Clinical Photos Are Stored Alongside Personal Photos

In a 2016 study, 73% of doctors admitted to storing clinical photos among their private photos, while 26% admitted to accidentally having shown a clinical photograph on their phone to friends or family! That's an instant privacy breach.

3. Patient Data Leaves the Country

There are two ways in which you can inadvertently be sending data across borders:

All iOS and Android devices steer you into automatically backing up your photos to their servers by default.

A text message sent from an iPhone to another iPhone is, by default, sent via iMessage rather than SMS. iMessage is encrypted, but the data again leaves the country. See the FAQ "Is sending patient data via iMessage safe?" for more.

4. De-identifying Photos Isn't/Can't Be Done Properly

Many operate under the assumption that they can de-identify a photo merely by not showing the patient's face; however, this is not sufficient. Photos taken on the default camera app (or the camera within messaging apps) contain all sorts of metadata that can be used to identify the patient. See "Am I okay to use the default camera app if I de-identify photos?" in the FAQs for more.
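The point above is that the image file carries data beyond the pixels. As an added example (not code from this page or from PicSafe), the following standard-library Python builds a constructed minimal JPEG whose Exif APP1 segment holds a camera make, a timestamp and a GPS latitude, plus a COM comment segment; it then lists the identifying tags and strips every APPn and COM segment before the file is shared. The segment layout, tag names and sample values are constructed for the example; a real photo would be read from disk.

```python
import struct

# JPEG marker codes (constructed example; stdlib only, no image library needed)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1, APP15 = 0xE0, 0xE1, 0xEF

# A few Exif tag ids and the kind of identifying data they carry
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def _segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment: FF, marker, big-endian length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed sample: a minimal JPEG skeleton (placeholder scan data, no real
    picture) carrying the kind of metadata a phone camera writes by default."""
    make = b"ExampleCam\x00"
    datetime = b"2016:01:01 09:30:00\x00"
    ifd0_off = 8                      # IFD0 follows the 8-byte TIFF header
    ifd0_len = 2 + 3 * 12 + 4         # entry count, 3 entries, next-IFD pointer
    make_off = ifd0_off + ifd0_len
    dt_off = make_off + len(make)
    gps_ifd_off = dt_off + len(datetime)
    lat_off = gps_ifd_off + 2 + 2 * 12 + 4
    latitude = struct.pack("<6I", 51, 1, 30, 1, 0, 1)  # 51 deg 30' 0" as 3 RATIONALs

    ifd0 = struct.pack("<H", 3)
    ifd0 += struct.pack("<HHII", 0x010F, 2, len(make), make_off)    # Make (ASCII)
    ifd0 += struct.pack("<HHII", 0x0132, 2, len(datetime), dt_off)  # DateTime (ASCII)
    ifd0 += struct.pack("<HHII", 0x8825, 4, 1, gps_ifd_off)         # GPSInfo (LONG pointer)
    ifd0 += struct.pack("<I", 0)
    gps = struct.pack("<H", 2)
    gps += struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"     # GPSLatitudeRef inline
    gps += struct.pack("<HHII", 0x0002, 5, 3, lat_off)              # GPSLatitude (RATIONAL x3)
    gps += struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off) + ifd0 + make + datetime + gps + latitude

    return (b"\xff\xd8"
            + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(APP1, b"Exif\x00\x00" + tiff)
            + _segment(COM, b"constructed comment: ward 4, bed 2")
            + _segment(0xDB, b"\x00" + bytes(64))        # quantisation table (placeholder)
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x00\x01"                                 # placeholder scan data
            + b"\xff\xd9")


def split_jpeg(jpeg: bytes):
    """Return [(marker, raw_bytes)] for every segment; the SOS entry also carries
    the entropy-coded scan data that runs up to the EOI marker."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    parts, pos = [(SOI, jpeg[:2])], 2
    while pos < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == EOI:
            parts.append((EOI, jpeg[pos:pos + 2]))
            return parts
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == SOS:                    # scan data follows until EOI
            end = jpeg.rfind(b"\xff\xd9")
            if end < 0:
                raise ValueError("truncated JPEG: no EOI marker")
        parts.append((marker, jpeg[pos:end]))
        pos = end
    raise ValueError("truncated JPEG: no EOI marker")


def _is_metadata(marker: int) -> bool:
    # APP1..APP15 (Exif, XMP, ICC, vendor blobs) and COM can all carry identifying text.
    return APP1 <= marker <= APP15 or marker == COM


def metadata_segments(jpeg: bytes):
    """Marker codes of the segments that would be removed by strip_metadata()."""
    return [m for m, _ in split_jpeg(jpeg) if _is_metadata(m)]


def strip_metadata(jpeg: bytes) -> bytes:
    """Rebuild the file without any APPn/COM segments; pixel data is untouched."""
    return b"".join(raw for m, raw in split_jpeg(jpeg) if not _is_metadata(m))


def exif_tags(jpeg: bytes):
    """Names of the Exif tags in IFD0 and, if pointed to, the GPS IFD."""
    found = []
    for marker, raw in split_jpeg(jpeg):
        if marker != APP1 or raw[4:10] != b"Exif\x00\x00":
            continue
        tiff = raw[10:]
        bo = "<" if tiff[:2] == b"II" else ">"

        def read_ifd(off):
            n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
            return [struct.unpack(bo + "HHII", tiff[off + 2 + 12 * i:off + 14 + 12 * i])
                    for i in range(n)]

        for tag, _typ, _cnt, val in read_ifd(struct.unpack(bo + "I", tiff[4:8])[0]):
            found.append(IFD0_TAGS.get(tag, hex(tag)))
            if tag == 0x8825:                # follow the GPS sub-IFD pointer
                found += ["GPS:" + GPS_TAGS.get(t, hex(t)) for t, *_ in read_ifd(val)]
    return found


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("tags before:", exif_tags(sample))
    clean = strip_metadata(sample)
    print("tags after:", exif_tags(clean), "segments:", metadata_segments(clean))
```

Hiding a face handles only the pixels; the tag list printed before stripping shows the timestamp and GPS position that still identify where and when the photo was taken. The stripping step is deliberately coarse (every APPn and COM segment goes, not just the GPS tags), because vendor segments and XMP blocks can carry the same information in other encodings.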

5. Clinical Photos Are Accessible If You Lose Your Phone

Fortunately, all new iOS and Android phones have some form of passcode or facial recognition turned on by default. Unfortunately, between 11% and 15% of iOS devices, and around 33% of Android devices, don't have it turned on.

While newer versions of iOS and Android push people into using passcodes, fingerprint scanners or face recognition, on some Android devices these methods are quite easy to "hack". Whether such measures are considered "reasonable" has not been legally tested.

£500,000 fines for a privacy breach!

Sending patient data unencrypted is like sending a postcard. Content, as it travels across the Internet, can be easily intercepted leaving you exposed to significant fines for each privacy breach. Individual trusts could face penalties of up to £500,000 if breaches lead to substantial damage or distress to patients. £3,000,000 in privacy fines were issued in 2016.

Protect Doctors From Cyber-extortion

Cyber-extortion is increasing at a rate of 350% per year with "rich" western healthcare systems being prime targets.

As seen on 60 Minutes (America), there's an unfixable vulnerability in mobile networks meaning it's easy for hackers to intercept text messages from anywhere in the world. All they need is a phone number.

89% of physicians polled admitted to taking clinical photos on their phones, and the practice of then sending them via text message is rife. A hacker can easily intercept messages and threaten to reveal patient data unless they receive an anonymous Bitcoin payment.

The doctor/clinic/hospital is ethically obligated to notify the patient.

The doctor/clinic/hospital is ethically bound to notify the Information Commissioner's Office (ICO) of the privacy breach.

Under the Data Protection Act, the doctor/clinic/hospital may be issued a fine of up to £500,000 by the ICO for using insecure practices.

The responsible doctor may face suspension, dismissal or other disciplinary action for using insecure practices.

The FBI has issued a warning that hackers are actively trying to access patient data to "intimidate, harass and blackmail". By encrypting photos on your device before sending them, PicSafe® helps protect you from this threat.

"Obtain patient consent in ALL cases before taking clinical photographs"